CVE-2026-32735: CWE-20: Improper Input Validation in Chrimle io.github.chrimle:openapi-to-java-records-mustache-templates-parent
openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability.
AI Analysis
Technical Summary
The vulnerability arises from improper input validation (CWE-20) in the openapi-to-java-records-mustache-templates-parent project. The parent POM file uses the maven-dependency-plugin to unpack .mustache files from the openapi-to-java-records-mustache-templates artifact without sufficient security controls. If the artifact is compromised to include malicious .mustache files, these files would be unpacked automatically during dependency updates, potentially leading to unintended code execution or other impacts. The parent POM is published but not intended for external use, and the vulnerability is fixed in version 3.5.1 of the parent POM.
Potential Impact
The impact is limited due to the low CVSS score (2.3) and the fact that the parent POM is not intended for production or external use. The main risk is that if the openapi-to-java-records-mustache-templates artifact is compromised, malicious .mustache files could be unpacked automatically, potentially leading to security issues during build or dependency update processes. There are no known exploits in the wild.
Mitigation Recommendations
A fix is available in version 3.5.1 of openapi-to-java-records-mustache-templates-parent. It is strongly recommended not to use the parent POM for external or production purposes. Users should upgrade to version 3.5.1 or later to address this vulnerability. Since the parent POM is primarily for testing and maintainability, avoiding its use in production environments mitigates the risk.
CVE-2026-32735: CWE-20: Improper Input Validation in Chrimle io.github.chrimle:openapi-to-java-records-mustache-templates-parent
Description
openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability.
CVSS v4.0
Score 2.3low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from improper input validation (CWE-20) in the openapi-to-java-records-mustache-templates-parent project. The parent POM file uses the maven-dependency-plugin to unpack .mustache files from the openapi-to-java-records-mustache-templates artifact without sufficient security controls. If the artifact is compromised to include malicious .mustache files, these files would be unpacked automatically during dependency updates, potentially leading to unintended code execution or other impacts. The parent POM is published but not intended for external use, and the vulnerability is fixed in version 3.5.1 of the parent POM.
Potential Impact
The impact is limited due to the low CVSS score (2.3) and the fact that the parent POM is not intended for production or external use. The main risk is that if the openapi-to-java-records-mustache-templates artifact is compromised, malicious .mustache files could be unpacked automatically, potentially leading to security issues during build or dependency update processes. There are no known exploits in the wild.
Mitigation Recommendations
A fix is available in version 3.5.1 of openapi-to-java-records-mustache-templates-parent. It is strongly recommended not to use the parent POM for external or production purposes. Users should upgrade to version 3.5.1 or later to address this vulnerability. Since the parent POM is primarily for testing and maintainability, avoiding its use in production environments mitigates the risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-13T15:02:00.627Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69bb2706771bdb1749cae220
Added to database: 3/18/2026, 10:28:22 PM
Last enriched: 6/2/2026, 8:20:12 PM
Last updated: 6/17/2026, 11:19:38 AM
Views: 113
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.